Drupal Security - Best Practices Advisories

You might be wondering if Drupal is a safe choice for your website. Or maybe you’re already using it and want some tips on how to keep it secure. In this article, you’ll learn everything you need to know about Drupal security. You’ll also discover some awesome modules and handy tricks.

Security of your Drupal sites

Drupal CMS Security And The Open Source Issue

Some people think that open source software is risky because anyone can see the code, including hackers. And they also think that the community isn’t reliable enough to develop the system. But that’s not true at all! Drupal’s security is at a high level because of its open source nature. Don’t believe us? Well, did you know that the White House website switched from closed software to Drupal in 2009?

Here are some benefits of this CMS:

  • Community-driven development - since the code is public, anyone can check it for bugs and suggest fixes. This means that problems get solved faster and better.
  • Easier auditing - because the code is public, you and your organization can review it to make sure it meets your security standards. You can even tweak it, if you need to.
  • Transparency - improving Drupal security is always important for community. Unlike some proprietary software owners, who may hide their flaws to save face or money.

So, open source software is not a bad thing at all. In fact, it can be a great choice for security.

Drupal Security - How Does This CMS Keep Your Website Safe?

According to the official Drupal website, these are some of the Drupal’s security features that this CMS offers:

  1. User access control - you can decide who and what can do on your website.
  2. Database encryption - you can protect your data from prying eyes.
  3. Security advisories - you can get alerts about any security issues in Drupal and how to fix them.
  4. Automatic updates and collaboration with GitHub for core validation - you can keep your website up to date and verified.
  5. Prevention of malicious data entry - you can block hackers from entering harmful code into your website.
  6. Mitigation of Denial of Service (DoS) attacks - you can prevent hackers from crashing your website by overwhelming it with requests.
  7. Patching vulnerabilities before they can be exploited - you can stay ahead of the game by fixing any weaknesses before hackers find them. By using these security features, Drupal makes sure that your website is secure.
  1. Access control

    Drupal gives you control over who and what can do on your website. You can create different user roles and give them various permissions. This way, you make sure that everyone only sees and does what they need to. Drupal has a powerful system of roles and permissions to help you with that.

  2. Database Encryption

    Drupal lets you encrypt your data in the database, so no one can snoop on it.

    For example, you can use the Field Encryption module to encrypt specific fields in the database. You can also use encrypted connections to the database server, like SSL/TLS for MySQL and PostgreSQL.

  3. Drupal Security Advisories

    This CMS has a dedicated security team that keeps an eye on the platform for any security issues and works with the community to fix them. They publish security advisories on various Drupal channels (in the tips section below you can find Drupal security advisories).

  4. Automatic Updates and Core Validation Collaboration with GitHub

    Drupal 8 brought in a cool feature called the Automatic Updates module, which updates your Drupal core and contrib modules automatically. When there are new security releases, the module checks for updates, downloads, and applies them. It works with GitHub to make sure that the packages are safe and verified before they go live on your website.

  5. Prevention of Malicious Data Entry

    Drupal uses a mix of input data filtering and output data encoding to stop hackers from injecting harmful code into your website (like cross-site scripting attacks or XSS). Moreover, with Drupal 8 we got the Twig template engine, which encodes variables automatically to reduce the chance of XSS problems.

  6. Mitigation of Denial of Service (DoS) Attacks

    Drupal’s caching system can make your website faster and handle more traffic. Drupal has various built-in features that help you deal with DoS attacks. For example, the Flood Control module lets you set limits on login attempts and password reset requests, protecting your website from brute-force attacks.

  7. Patching Vulnerabilities Before Exploitation

    The Drupal security team is always on the lookout for potential security weaknesses in the platform. When they find them, they work with module developers to create and release patches. They often update the platform before hackers even know about these weaknesses, minimizing the damage.

The Most Common Drupal Vulnerabilities

If you want to know what kind of security issues Drupal faces, you can check out the CVE Details website. It has useful stats on Drupal website breaches. From 2002 to 2022 (except for 2003 and 2004), there were 356 major issues across different Drupal versions:

Drupal system security

Source

What can we learn from this? Drupal had more security issues in 2006-2009, when it became more popular. But over time, the software makers got better at protecting it, and the number of issues went down and stayed stable.

Drupal hacking statistics showed that the biggest security problems were related to these attacks:

  • XSS (cross-site scripting)
  • Execute code
  • Bypass
  • SQL injection
  • Gain information

Is Drupal More Secure Than Other CMSs?

First of all, it’s important to remember that most security vulnerabilities in Drupal involve add-on modules, not the system’s code. The number of issues also depends on how popular a technology is, so the total number of issues doesn’t always tell the whole story.

But in general, Drupal’s security is pretty good compared to other similar solutions. This is partly because the CMS is widely used by big websites like corporations and governments. Let’s see how other popular CMSs compare in terms of security issues (based on the core CMS installation, without modules):

WordPress

Wordpress system security

Source

On this website, you can see security issues for WordPress modules. You'll probably notice that there are a lot more than in the screenshot above. Why? As we said at the start, most problems are with the add-on modules, not the WordPress core. So, remember that any content management system might have more issues than you think.

Joomla

Joomla system security

Source

Magento

Magento security system

Source

PrestaShop

PrestaShop security system

Source

Here is how many security issues different CMS solutions have:

  1. Joomla – 446.
  2. WordPress – 388.
  3. Drupal – 356.
  4. Magento 2 – 221.
  5. PrestaShop – 82.

As you can see, only Magento 2 (not counting the older version 1, which would probably increase the number) and PrestaShop have fewer security issues than Drupal.

How does Drupal keep its security up to date? They have their own Security Team, which gives website owners information about key security issues and how to fix them. Also, to reduce the risk of module-related problems, Drupal has labeling. Unverified modules are marked with a warning, like this:

Drupal module verification

Other plugins that don’t have such warnings are checked and can be used without worrying too much about security. You can find more information about Security Advisories here.

No matter what platform you use, security also depends on how you manage your website. Let’s talk about the best Drupal security practices.

Drupal Security Best Practices

Here are some security tips for Drupal that can help you a lot:

  1. Keep Up with Updates

    Updating your software regularly is the key to security for any software, and Drupal is no different. As the CMS makers say:

    “Drupal has over 29,000 projects that are checked by users for possible issues. For more details, read about security risk levels.

    The security advisory also tells you when a potential problem is found and fixed. It’s very rare for a security issue to be exploited before a security advisory is published.

    So, the most important thing is to update Drupal whenever there is a security advisory for the Drupal core or any external software you use”.

  2. Stay Informed

    To keep up with updates and security advisories, you need to know about them. To do that, it’s good to check some useful sources:

  3. Pay Special Attention to External Extensions

    While the Drupal CMS makers always care about security at the core level, they don’t have direct control over other modules.

    As we said before, you can also learn from the same article that:

    „Profesjonalne audyty bezpieczeństwa witryn Drupala ogólnie wykazały, że zdecydowana większość luk bezpieczeństwa (90% lub więcej) jest obecna w niestandardowych motywach lub modułach napisanych przez deweloperów analizowanej witryny. Kod ten nie został poddany takiemu samemu zakresowi publicznej kontroli, jak to wygląda w przypadku kodu drupal.org”.

    So, if you use other modules or have made custom solutions, you need to keep them in mind.

  4. Use the Right SSL Certificate

    If you want to secure your Drupal deployments, you have to get an SSL certificate. It should be one of the first steps. It's also important for SEO reasons, because Google points this out.

    Of course, if you have an e-commerce site or a government/organizational website, you can't just pick any certificate. You should look for:

    • 256-bit encryption
    • Extended Validation (EV)
    • Support for Perfect Forward Secrecy (PFS)
  5. Store Code in a Version Control System

    If you want to protect your Drupal deployments and other related projects, store your code in a version control system (VCS) like Git. This will allow you to:

    • Track changes: When you apply security updates or make any changes to your Drupal website, VCS lets you see exactly what has changed. This way, you can quickly notice if an update has broken any functionality.
    • Create backups and recover data: VCS keeps a history of your codebase, so you can go back to a previous version if something goes wrong.
    • Detect unauthorized changes: Storing Drupal code in VCS will let you compare the live version of your website with the code stored in the version control system. If there are any differences that you didn't make, it might mean that someone hacked or accessed your website without permission.
  6. Use Trusted Modules

    There are many Drupal security modules that can make your life easier. Besides the ones we mentioned earlier in the article, you should also check out these ones:

    • Two-factor Authentication: Two-factor verification is one of the easiest and most effective security measures for users.
    • Password Policy: Since we're talking about users, you should make sure that the passwords they use are strong enough.
    • CAPTCHA: CAPTCHA is an old but proven way of dealing with spambots.
    • Content Access: Decide who can access and do what with different types of content in a detailed way.
  7. Get Professional Help

    Keeping up with updates, monitoring code, and using proper security modules for Drupal all take skills and time. If you feel like you can't handle these tasks, getting help from a reliable agency or software house is a good idea. They will take care of the security of your Drupal sites, so you can focus on other aspects of running your business.

Summary

We hope that now you know more about the security of Drupal. Use our tips to make your site more secure. Remember that in the ever-changing internet and business world, security should always be your top priority.

Do you have a problem with Drupal security?

Get in touch with experts!